rewrite api/posts/delete to be more secure and add unit tests for it
git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@769 b3834d28-1941-0410-a4f8-b48e95affb8f
This commit is contained in:
parent
df8216d607
commit
22c9a01ee8
3 changed files with 62 additions and 28 deletions
|
@ -176,7 +176,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
|
||||||
* Retrieves a bookmark with the given URL.
|
* Retrieves a bookmark with the given URL.
|
||||||
* DOES NOT RESPECT PRIVACY SETTINGS!
|
* DOES NOT RESPECT PRIVACY SETTINGS!
|
||||||
*
|
*
|
||||||
* @param string $address URL to get bookmarks for
|
* @param string $address URL to get bookmarks for
|
||||||
|
* @param boolean $all Retrieve from all users (true)
|
||||||
|
* or only bookmarks owned by the current
|
||||||
|
* user (false)
|
||||||
*
|
*
|
||||||
* @return mixed Array with bookmark data or false in case
|
* @return mixed Array with bookmark data or false in case
|
||||||
* of an error (i.e. not found).
|
* of an error (i.e. not found).
|
||||||
|
@ -184,9 +187,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
|
||||||
* @uses getBookmarkByHash()
|
* @uses getBookmarkByHash()
|
||||||
* @see getBookmarkByShortname()
|
* @see getBookmarkByShortname()
|
||||||
*/
|
*/
|
||||||
public function getBookmarkByAddress($address)
|
public function getBookmarkByAddress($address, $all = true)
|
||||||
{
|
{
|
||||||
return $this->getBookmarkByHash($this->getHash($address));
|
return $this->getBookmarkByHash($this->getHash($address), $all);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -195,16 +198,19 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
|
||||||
* Retrieves a bookmark with the given hash.
|
* Retrieves a bookmark with the given hash.
|
||||||
* DOES NOT RESPECT PRIVACY SETTINGS!
|
* DOES NOT RESPECT PRIVACY SETTINGS!
|
||||||
*
|
*
|
||||||
* @param string $hash URL hash
|
* @param string $hash URL hash
|
||||||
|
* @param boolean $all Retrieve from all users (true)
|
||||||
|
* or only bookmarks owned by the current
|
||||||
|
* user (false)
|
||||||
*
|
*
|
||||||
* @return mixed Array with bookmark data or false in case
|
* @return mixed Array with bookmark data or false in case
|
||||||
* of an error (i.e. not found).
|
* of an error (i.e. not found).
|
||||||
*
|
*
|
||||||
* @see getHash()
|
* @see getHash()
|
||||||
*/
|
*/
|
||||||
public function getBookmarkByHash($hash)
|
public function getBookmarkByHash($hash, $all = true)
|
||||||
{
|
{
|
||||||
return $this->_getbookmark('bHash', $hash, true);
|
return $this->_getbookmark('bHash', $hash, $all);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -202,8 +202,9 @@ class Api_PostsDeleteTest extends TestBaseApi
|
||||||
//send request
|
//send request
|
||||||
$res = $req->send();
|
$res = $req->send();
|
||||||
|
|
||||||
//401 - unauthorized
|
//404 - user does not have that bookmark
|
||||||
$this->assertEquals(401, $res->getStatus());
|
$this->assertEquals(404, $res->getStatus());
|
||||||
|
|
||||||
//verify MIME content type
|
//verify MIME content type
|
||||||
$this->assertEquals(
|
$this->assertEquals(
|
||||||
'text/xml; charset=utf-8',
|
'text/xml; charset=utf-8',
|
||||||
|
@ -211,10 +212,10 @@ class Api_PostsDeleteTest extends TestBaseApi
|
||||||
);
|
);
|
||||||
|
|
||||||
//verify xml
|
//verify xml
|
||||||
$this->assertNotTag(
|
$this->assertTag(
|
||||||
array(
|
array(
|
||||||
'tag' => 'result',
|
'tag' => 'result',
|
||||||
'attributes' => array('code' => 'done')
|
'attributes' => array('code' => 'something went wrong')
|
||||||
),
|
),
|
||||||
$res->getBody(),
|
$res->getBody(),
|
||||||
'', false
|
'', false
|
||||||
|
|
|
@ -1,33 +1,60 @@
|
||||||
<?php
|
<?php
|
||||||
// Implements the del.icio.us API request to delete a post.
|
/**
|
||||||
|
* API for deleting a bookmark.
|
||||||
// del.icio.us behavior:
|
* The delicious API is implemented here.
|
||||||
// - returns "done" even if the bookmark doesn't exist;
|
*
|
||||||
// - does NOT allow the hash for the url parameter;
|
* The delicious API behaves like that:
|
||||||
// - doesn't set the Content-Type to text/xml (we do).
|
* - returns "done" even if the bookmark doesn't exist
|
||||||
|
* - we do it correctly
|
||||||
|
* - does NOT allow the hash for the url parameter
|
||||||
|
* - doesn't set the Content-Type to text/xml
|
||||||
|
* - we do it correctly, too
|
||||||
|
*
|
||||||
|
* SemanticScuttle - your social bookmark manager.
|
||||||
|
*
|
||||||
|
* PHP version 5.
|
||||||
|
*
|
||||||
|
* @category Bookmarking
|
||||||
|
* @package SemanticScuttle
|
||||||
|
* @author Benjamin Huynh-Kim-Bang <mensonge@users.sourceforge.net>
|
||||||
|
* @author Christian Weiske <cweiske@cweiske.de>
|
||||||
|
* @author Eric Dane <ericdane@users.sourceforge.net>
|
||||||
|
* @license GPL http://www.gnu.org/licenses/gpl.html
|
||||||
|
* @link http://sourceforge.net/projects/semanticscuttle
|
||||||
|
*/
|
||||||
|
|
||||||
// Force HTTP authentication first!
|
// Force HTTP authentication first!
|
||||||
$httpContentType = 'text/xml';
|
$httpContentType = 'text/xml';
|
||||||
require_once 'httpauth.inc.php';
|
require_once 'httpauth.inc.php';
|
||||||
|
|
||||||
/* Service creation: only useful services are created */
|
$bs = SemanticScuttle_Service_Factory::get('Bookmark');
|
||||||
$bookmarkservice =SemanticScuttle_Service_Factory::get('Bookmark');
|
$uId = $userservice->getCurrentUserId();
|
||||||
|
|
||||||
|
|
||||||
// Note that del.icio.us only errors out if no URL was passed in; there's no error on attempting
|
|
||||||
// to delete a bookmark you don't have.
|
|
||||||
|
|
||||||
// Error out if there's no address
|
// Error out if there's no address
|
||||||
if (is_null($_REQUEST['url'])) {
|
if (!isset($_REQUEST['url'])
|
||||||
|
|| $_REQUEST['url'] == ''
|
||||||
|
) {
|
||||||
$deleted = false;
|
$deleted = false;
|
||||||
|
} else if (!$bs->bookmarkExists($_REQUEST['url'], $uId)) {
|
||||||
|
//the user does not have such a bookmark
|
||||||
|
// Note that del.icio.us only errors out if no URL was passed in;
|
||||||
|
// there's no error on attempting to delete a bookmark you don't have.
|
||||||
|
// this sucks, and I don't care about being different but correct here.
|
||||||
|
header('HTTP/1.0 404 Not Found');
|
||||||
|
$deleted = false;
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
$bookmark = $bookmarkservice->getBookmarkByAddress($_REQUEST['url']);
|
$bookmark = $bs->getBookmarkByAddress($_REQUEST['url'], false);
|
||||||
$bid = $bookmark['bId'];
|
$bId = $bookmark['bId'];
|
||||||
$delete = $bookmarkservice->deleteBookmark($bid);
|
$deleted = $bs->deleteBookmark($bId);
|
||||||
$deleted = true;
|
if (!$deleted) {
|
||||||
|
//something really went wrong
|
||||||
|
header('HTTP/1.0 500 Internal Server Error');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set up the XML file and output the result.
|
// Set up the XML file and output the result.
|
||||||
echo '<?xml version="1.0" standalone="yes" ?'.">\r\n";
|
echo '<?xml version="1.0" standalone="yes" ?' . ">\r\n";
|
||||||
echo '<result code="'. ($deleted ? 'done' : 'something went wrong') .'" />';
|
echo '<result code="' . ($deleted ? 'done' : 'something went wrong') . '" />';
|
||||||
?>
|
?>
|
Loading…
Reference in a new issue